Archive for September, 2008

The streaming experience has improved over the years as our Internet connections have gotten faster. Not everyone understands that streaming actually depends on technologies and protocols different from those used for viewing Web pages or for downloading files.

What Is Streaming?

Streaming refers to the technique of continuous and steady transfer of digital data (audio, video, or graphics) as “packets” in real time from a data server over the Internet to a user’s computer. Media files can be played in a browser using an embedded plug-in or in a media player. The smoothness of the media stream depends upon the speed of the connection. Multiple versions of differing quality (high, medium, or low) can be made available for different connection speeds. On slow connections, glitches in frames and delayed or missing audio will occur.

A key factor is the compression method used for the media files so they can be streamed seamlessly. Due to compression, some data quality is compromised through perceptual encoding, that is, the audio/video is stripped down in such a way that the changes cannot be easily perceived. Usually, perceptual encoding refers to lossy audio encoding in which psychoacoustics is used to determine what audio signals to encode and what to snip out.

Large media files are encoded to smaller sizes using codecs; hence formats such as MOV, RM, etc.

Real Networks, QuickTime, Windows Media and Macromedia Flash are the most common streaming technologies. Windows Media and RealNetworks are the most popular, and broadcasters assume that the player plug-in is installed on the viewer’s browser.

QuickTime is installed on all Macs. Also, installation of Macromedia Flash is required in most cases.

Types of Streaming

Streaming technology thus encompasses the media content, the streaming server, the plug-in, and the encoding software. Streaming is of two types: progressive and real-time. During progressive streaming, the media file can be viewed or listened to while it is still being downloaded. In the case of data loss, re-transmission of lost packets is possible. Media files streamed using the progressive technique get saved on the viewer’s hard drive, which raises the problem of redistribution. HTTP streaming is a type of progressive streaming in which the media file begins to play before it is entirely downloaded. In HTTP streaming, a request for data remains open even after the data is received by the client, so that the server can respond at any time.

In real-time streaming, media content is downloaded only temporarily to the user’s computer. Almost-live broadcast of content is possible. Content streamed in real time can adjust to the user’s connection capacity; if the connection is too slow, the transmission of data will break.

Media streams can also be distinguished as “on demand” or “live.” The former are stored on servers for long periods of time, becoming available to be transmitted to the user upon request. Live streams are available only at a particular time, like the streaming of a live TV broadcast.

A streaming server software package, the Real Time Streaming Protocol (RTSP) to control the interaction, and a matching client are needed for real-time streaming.

Transmission Protocols

Internet Protocols play an important role in media file transmission. Transmission protocols such as Transmission Control Protocol (TCP), User Datagram Protocol (UDP), RTSP, and Real-time Transport Protocol (RTP) are used.

TCP is “reliable”: data transmission happening via TCP is not blocked, and every bit is guaranteed to be transmitted. UDP, however, is efficient because priority is given to continuous streaming of data rather than re-transmission of lost packets. The user can suffer streaming glitches, but with error-correction techniques, lost data can be recovered. UDP is widely used for real-time streaming of audio, video, and graphics files.

RTSP and RTP are widely used for real-time media delivery over the Internet. Through RTSP, the user can communicate with the streaming server; it is used for simple one-to-one streaming. The user also gets device-like control, for viewing any part of the stream. This protocol performs well for one-to-one viewing and for larger audiences as well.

This protocol is usually used for streams via unicast (for transmission to a single client computer) or multicast (for transmission to multiple client computers) servers. Unicast is the term for when data is transferred from one point to another point, that is, one client and one server. Multicast is where data is transferred from one or more points to multiple points.

RTP is used for transmitting live streams to multiple users, but the users do not enjoy any sort of control like selective play of the media stream.

Legalities

Legal issues revolve around users being able to record the streaming of copyrighted content. It is difficult to stop such recording. Broadcasters sometimes use encryption for media content to make it difficult to record content.

You’ve heard about “Gnome” and “KDE” and more—these Linux-related things are “Desktop Environments.” If you’re making the switch, which one is for you?

If you’re a Windows user who hasn’t experimented with the myriad of free Linux distros available, this one’s for you. Let’s take a look at some of the most popular Linux Desktop Environments that sit on top of the Operating System (OS). A Desktop Environment (DE) typically provides a GUI: windows, icons, folders, toolbars, and abilities like dragging and dropping of files from one folder to another. Any DE will therefore include a window manager, file manager, taskbar, and more.

GNOME

The GNU Network Object Model Environment, or GNOME, is an international open source effort to build the simplest and most intuitive GUI for a DE. It’s one of the few DEs that have consistently matched their production timelines, releasing a new version every six months. Currently, it stands at version 2.24. This version focuses on document security, and incorporates privacy features that enable you to digitally sign or authenticate files using Seahorse, an application created for the purpose. That apart, this version also focuses on managing laptop batteries efficiently, and increases the stability and responsiveness of the OS. GNOME’s popularity in the open source world is due to its exhaustive set of developer guidelines, known as the Human Interface Guidelines, to be followed when creating an application for the environment. The guidelines ensure applications don’t look too different from each other, and that some basic options like closing, minimizing, and resizing, among others, are placed in the same location across all applications. GNOME’s design keeps novices in mind. The DE does not have a lot of customization options, and contains menus with an exhaustive set of explanation notes. The main reason most Windows converts should stick to this DE is that it provides a well-documented FAQ section, and a very active online community that will answer any newbie’s questions.

KDE

The K Desktop Environment, or KDE, is another DE that runs on UNIX and Linux distros. KDE believes in the manifesto that all components used to build the DE, and the applications that come bundled with it, have to be free and open source in the truest sense of the word, with no restrictions whatsoever on the user. The major difference from GNOME lies in the fact that KDE is not entirely geared towards the novice. It allows for complete customization, which might intimidate; having said that, there are a good set of applications that allow you to start using a KDE-based distro as soon as you install it. Applications like KOffice, Amarok, and Konqueror are some of the more popular KDE applications. KDE allows you to mimic OSes such as Mac OS X, so if you’re the type who likes to have complete control over each and every aspect of his OS, this is the platform you might want to use. The most popular distributions on this platform include Fedora (formerly Fedora Core)—though it’s not the default environment—and Knoppix.

Xfce

Unlike GNOME or KDE, Xfce is a lightweight DE designed to work with computers that have either older or newer hardware. It is very user-friendly, and incorporates a minimal set of customizable options. The file system hides system and configuration files from view so they can’t be tampered with by the novice. In comparison to GNOME or KDE, Xfce is regarded as the most responsive DE. It uses its own file manager, called Thunar. One advantage of using Xfce is its install size, all of 50 MB to be exact. Popular distros that use Xfce as their default DE include Xubuntu, SLAX, and dyne:bolic.

There are other DEs not as popular as the three above, but worth a mention:

Mezzo

A proof-of-concept DE based on the “Laws of Interface Design.” It aims at presenting all information collectively, in one place, thereby completely debunking popular concepts such as the Desktop being a folder, and the menu system having nested folders. Instead, it presents all the needed information on the Desktop, and holds tasks and files related to “System”, “Files”, “Programs”, and “Trash” in four windows on the screen. Mezzo is available as a .deb package, which is like an .exe file in Windows, for installation on all Debian-based distros like Ubuntu, Freespire, and Knoppix.

Project Looking Glass

A DE written entirely in Java, Project Looking Glass aims at creating a 3D Desktop Environment that can run on computers with low-end hardware. One of the most notable features is the creation of “reversible windows”: you can write notes or leave comments on the back of any window! Windows can be tilted or rotated to the angle of your choice, and can also be made semi-transparent.

Shared hosting can be thought of as living in an apartment building and sharing your neighbours’ problems. You hear their music through the wall. If one of them leaves the main door open, your security is at risk.

On a shared server, all the hosted websites share the operating system and resources. Problems with your neighbours’ websites can slow down the server or require it to be shut down while the problem is being fixed. Slowdowns may also result from having too many websites on one server. Your site’s security depends in part on decisions made by your web host and, perhaps, your neighbours too.

Depending on your neighbours and, to a larger extent, your web host, you may have few or no problems with a shared hosting account. Because the resources are shared, the cost is lower than VPS hosting. Furthermore, for a basic website, you require little or no technical knowledge to maintain your hosting.

The majority of websites are hosted on shared servers.

VPS hosting is more like living in a townhouse with your own private yard, and without ever hearing your neighbours. The only common area you share is the parking area and entrance; all traffic goes through one network port. In contrast to apartments or shared hosting accounts, you pay more for a VPS, but you can do what you want with the space, and your neighbours’ problems aren’t your problems.

VPS hosting gives you the features and functionality of a dedicated server without the cost of building and maintaining one. If you need to host unlimited domains, have complete control of your environment and run your own applications, then you will benefit from having a VPS. In addition, a VPS provides the ability to manage your dedicated environment directly through SSH or Remote Desktop Connection. You can also add a control panel like cPanel to our Linux VPS Hosting Plus plan. The control panel enables the administrative user to act on their VPS immediately, without having to contact support and wait for a technician to complete the request.

If you’re reading this, you know what an IP (Internet Protocol) address is – it looks something like 92.48.119.22, and all Internet hosts have one. Now, what we use today is called IPv4 – version 4; the not-so-distant future network will use IPv6, or IPng (the “ng” is for “Next Generation”).

Address Space
The first and most-oft-cited reason for the move to IPv6 – the evolutionary successor to IPv4 – is the address space. IPv4 allows for about four billion unique addresses, which seems enough – after all, there are only about six billion people. But there are at least two reasons why we’ll be running out of addresses. First, IPv4 addresses are classified as class A, class B, and so on. Think of IBM, which has been assigned the class A range of 9.0.0.0 to 9.255.255.255; that is almost 17 million addresses – most of them unused, of course. Simply telling IBM to take a smaller range just won’t do it! Second, and more interesting, is the fact that more and more devices – not just computers – will be connected to the information network of the future: your mobile phone, your smart fridge and even your alarm clock. To accommodate all these will require something much more than four billion, and that’s one major raison d’être for IPv6.

Why not NAT?
You might have heard of NAT (Network Address Translation). An office, for example, might have a LAN where 40 individual computers show up as just one IP to the external world – the NAT router takes care of which traffic from the outside should be routed to which computer on the inside. Now, this may look like a perfect solution, since 39 IPs have been conserved. There are several reasons cited for why this is not the ideal solution, amongst them the fact that hosts on the outside with “real” addresses can’t initiate communication with the “NATted” computers. Also, direct P2P communication is not possible if a network is NATted, because of the router.

What Does It Look Like?
There are different types of IPv6 addresses, but without getting into the details, a typical address looks like FECC:B672:391C:2322:CD51:AAEE:3DEC:0921.

This is a string of eight 16-bit hexadecimal values, and means a 128-bit address space – which in turn means 3.4×10^38 addresses – you don’t need to imagine that number; it’s practically infinite!

If an address has long sub-strings of all zeroes, the sub-strings can be abbreviated by a double colon. In addition, up to three leading zeroes per four-hex-digit group can be omitted. Taking both these together, FECC::1 corresponds to FECC:0000:0000:0000:0000:0000:0000:0001.

Routing tables
Routing tables are what enable your Internet packets to reach their destination: they contain information about where a packet should go next en route to its destination. With IPv4, the Internet backbone routers, which control Internet traffic at the top level, contain routing tables that are already very large, and growing. This means inefficiency, and further growth will hamper their very functioning.

Now, IPv6 has been designed so that Internet backbone routers will need to have much smaller routing tables. The tables, instead of including every possible route, need only include routes to those routers that are directly connected to them. How that works is beyond our scope here, but suffice it to say that IPv6 solves “the exploding routing table problem” to a large extent.

Other Goodies
There are several other advantages of IPv6 that justify a worldwide switchover. For example, Quality of Service (QoS) is built into IPv6; this, while not essential, is a good thing for VoIP and multimedia, for example. It also allows for prioritization of data: time-sensitive streams such as video conferencing data can be assigned a higher priority than, say, Web browser requests.

Then, in the realm of security, consider IPSec. Short for “IP Security”, it is a set of protocols to support secure exchange of packets. IPSec is widely used in the implementation of Virtual Private Networks (VPNs). IPSec is optional in IPv4; in IPv6, it’s embedded in the headers. Setting up a VPN through IPv4 requires confirmation that the other user also supports IPSec; IPv6 will eliminate this requirement.

IPv6 brings with it new functions that simplify the configuration and management of the addresses on a network, which are typically labor-intensive tasks. Several tasks performed by a system administrator are automated. For example, the auto-configuration feature in IPv6 can automatically configure router and interface addresses.

There are many more good things about IPv6, and even more sites from which to get information; for a start, you could try www.ipv6.org.

I have made a nice doc for those who want to use a free email virus checker instead of Dr.Web (why should I pay more

First check in System/Services whether Dr.Web AV is stopped. Dr.Web AV needs a license above the 15th email. There is a tested and free alternative.

ClamAV is available on Windows in two variants: ClamWin, which is more user-friendly and aimed more at scanning computers, and an exact replica of the Linux ClamAV, which is the only working variant supported by Plesk:

2. After enabling “NAT” for your Virtual Private Server, go to Start >> Run >> type “services.msc” on your Virtual Private Server.
On the services list, select “Routing and Remote Access” and go to Properties. Set the startup type to Automatic and apply. After that you should have the option to “Start” this service. Start it, as we are going to use this service to route our traffic.

3. Now go to Start >> Settings >> Control Panel >> Administrative Tools >> click on the shortcut that says “Routing and Remote Access”. It should open the configuration panel of Routing and Remote Access.

4. Now right-click on your computer name, then click the option that says “Configure and Enable remote and routing access”. Before doing this, make sure your Firewall service is stopped and disabled.

5. Now, in the configuration wizard, click Next to proceed >> in the configuration list select “Custom Configuration” and press Next >> select Virtual Private Network Access, and NAT and Basic Firewall, then press Next >> now press Finish to end the wizard.

This wizard should enable PPTP and L2TP Virtual Private Network access through your firewall with private routing capability. Now you need to configure your Virtual Private Server to route the private traffic to the public interface. To do this, we need one of the following two:

1. Two network interfaces, routing one to the other; or
2. NAT (Network Address Translation) using the Microsoft Loopback adapter.

We will work with the second one, as Virtual Private Servers don’t come with two network interfaces. To continue with the NAT configuration, go to the Routing and Remote Access panel >> expand ComputerName (Local) >> expand IP Routing >> you should find an option that says “NAT/Basic Firewall”. Right-click on that option and use New Interface to add network translation. First add the interface that says “Internal”, which is for private network access, with default settings; then, on a second attempt, add your main adapter to the NAT list, select the option that says “Public Interface connected to this interface”, and select the option that says “Enable NAT on this interface”.

Now your network should have address translation working; that means your private requests are now translated and you can use this Virtual Private Network as your Internet gateway.

Now, to allow your users to use the Virtual Private Network, add a new user and, from its properties, allow Dial-In permission. A user with Dial-In permission should be able to log in using the Virtual Private Network.

You probably know what TCP/IP is; any computer using TCP/IP will have a unique IP address by which data, in the form of packets, is sent to and received from other computers. The process of passing data packets from one computer to another by consulting “routing tables” to reach the destination is known as routing. A routing table is a database of defined rules that determines the best path for data packets as they go towards their destination IP address. Routing is performed by a device called a router. IP addresses used for internal or private networks are not registered; they are referred to as local IP addresses. These addresses are used for data transmission within the LAN, and are not visible on the Internet. For data transmission from the internal network to the Internet, the local IP is mapped to a registered global IP address by Network Address Translation (NAT). NAT provides security by hiding internal IP addresses, enables the use of more IP addresses without the possibility of IP conflicts, and makes multiple ISDN (Integrated Services Digital Network) connections appear as a single Internet connection. This provides a first line of defense, but because NAT only translates IP addresses, a firewall is usually used in conjunction with a NAT router for security against incoming data packets from the Internet. The firewall can be software or hardware.

In Some Detail: NAT

NAT is a standard that enables the use of separate sets of IP addresses for internal and external traffic. The translation of local IP addresses to a global IP is done on a one-to-one (one internal address to one global address) or many-to-one (a group of internal addresses to one global address) basis while connecting to the Internet. NAT can be performed by a computer, a router, or a firewall. NAT has several forms, such as static, dynamic, overloading, and overlapping. Static NAT translates an unregistered local IP on a one-to-one basis to a registered global IP address. The Internet Assigned Numbers Authority (IANA) has reserved three blocks of the IP address space for private networks:

Any enterprise can use such IP addresses, and these will be unique within that enterprise. When the enterprise needs to connect to the Net, it needs to get a unique global / public IP address from the Internet registry. That public IP address will never be assigned from the three blocks for private networks. As an example, 192.168.21.14 will be translated to 212.15.48.105 and used for external traffic. Dynamic NAT translates any local unregistered IP address to a registered global IP address from a group or range of global IP addresses. For example, 192.168.21.14 will be translated to any of the global IP addresses ranging from 212.15.148.105 to 212.15.148.120. In the case of overloading, each IP address on the private network is translated to a registered IP address, but with a different port number. The internal IP range might be in use by another network; in some cases, it might even be a registered range in use by another network. Here, the NAT translates addresses to avoid potential conflicts. This is called overlapping. It can be done by using static NAT or by using DNS and dynamic NAT. Firewalls are intrusion protection systems that prevent packets from unsecured, unknown, or unauthorized locations coming in. Firewalls can be software or hardware. Software firewalls are installed inside the system, dedicated server, or VPS (Virtual Private Server). Some widely used software firewalls are iptables and CSF (for Linux servers), and the default Windows Firewall, Deerfield, and Comodo (for Windows servers). NAT routers offer packet-filtering firewalls (hardware). These examine the source IP address and port, as well as the destination IP address and port, to determine whether the packet is to be accepted or dropped.

Hardware Firewalls

On a hardware firewall, user-created or predefined rules about data packets to be blocked on specific TCP/IP ports are configured. The firewall uses the technique of packet filtering, by which it examines the header of incoming packets to determine their source and destination. It then decides whether to admit or exclude the packet. With hardware firewalls, only incoming traffic is restricted, not outgoing traffic. So a malicious program such as a key logger, which has already entered the local network and is disguised as a safe program, can send information to its destination. Also, at times, routing through the router is blocked, and peer-to-peer activity on the network is not possible if the private network uses a NAT-enabled router.
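An added Python model (not the page’s own code) of the overloading NAT described above together with the packet-filtering rule set the text attributes to a hardware firewall: outbound connections from two LAN hosts are mapped to the single public address 212.15.48.105 on different port numbers, replies are translated back through that mapping, an unsolicited packet from outside is dropped because no mapping exists, and an egress rule list shows the accept/drop decision made from source and destination address and port. The LAN and public addresses come from the text; the outside hosts, ports and rules are constructed.

```python
import ipaddress
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# The three private blocks reserved by IANA (RFC 1918)
PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    return any(ipaddress.ip_address(ip) in block for block in PRIVATE_BLOCKS)


class OverloadNat:
    """Many-to-one NAT: every inside (ip, port) pair gets its own port on one public address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.outbound = {}   # (proto, inside_ip, inside_port) -> public_port
        self.inbound = {}    # (proto, public_port) -> (inside_ip, inside_port)

    def translate_outbound(self, pkt):
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt) -> Optional[Packet]:
        """Only packets matching an existing outbound mapping reach the inside; others are dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.inbound.get((pkt.proto, pkt.dst_port))
        if inside is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.proto)


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "drop"
    proto: Optional[str] = None      # None matches anything
    src_net: Optional[str] = None
    dst_port: Optional[int] = None


def filter_packet(rules, pkt, default="drop"):
    """First matching rule wins, as in a packet-filtering firewall; no match -> default."""
    for rule in rules:
        if rule.proto is not None and rule.proto != pkt.proto:
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        if rule.src_net is not None and ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.src_net):
            continue
        return rule.action
    return default


def demo():
    """Two LAN hosts behind one public address; outside hosts and ports are constructed."""
    nat = OverloadNat("212.15.48.105")
    egress = [Rule("accept", proto="tcp", src_net="192.168.21.0/24", dst_port=80),
              Rule("accept", proto="tcp", src_net="192.168.21.0/24", dst_port=443)]
    web = Packet("192.168.21.14", 51000, "198.51.100.7", 80)
    web2 = Packet("192.168.21.15", 51000, "198.51.100.7", 80)   # same inside port, different host
    smtp = Packet("192.168.21.14", 51001, "198.51.100.7", 25)   # not allowed by the egress rules
    out1 = nat.translate_outbound(web) if filter_packet(egress, web) == "accept" else None
    out2 = nat.translate_outbound(web2) if filter_packet(egress, web2) == "accept" else None
    out3 = nat.translate_outbound(smtp) if filter_packet(egress, smtp) == "accept" else None
    reply = nat.translate_inbound(Packet("198.51.100.7", 80, "212.15.48.105", out1.src_port))
    stray = nat.translate_inbound(Packet("203.0.113.9", 4444, "212.15.48.105", 22))
    return {"out1": out1, "out2": out2, "smtp_blocked": out3 is None,
            "reply": reply, "stray_dropped": stray is None}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The model shows why the text calls NAT only a first line of defense: the stray packet is dropped purely because no mapping exists, not because anyone decided port 22 should be closed; once an inside host opens a mapping, anything the remote end sends back through it is let in, which is where the explicit rule list comes in.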

There is debate on whether NAT will be necessary, whether it will provide better security, etc. when IPv6 is implemented.

1.) Firewall Installation
Installing a firewall and various other related tools such as CSF and SIM. These will prevent unauthorized access to your server and protect it from brute-force attacks.
CSF (ConfigServer Firewall) http://www.configserver.com/free/csf/install.txt
SIM (System Integrity Monitor) http://www.rfxnetworks.com/sim.php
NSIV (Network Socket Inode Validation) http://www.rfxnetworks.com/nsiv.php
LES (Linux Environment Security) http://www.rfxnetworks.com/les.php
These do not prevent exploits of the services you run on your VPS. You also need to be aware of the installed firewall, and open additional ports as needed when you add new services or programs.

2.) Securing the /tmp partition
Most attacks and exploits use /tmp to work out of and propagate themselves. By mounting /tmp with noexec and nosuid (meaning executables cannot be run from /tmp, nor with escalated privileges), you stop many of these exploits from being able to do any harm.
You can do it by adding the following entry to “/etc/fstab”:
====
none /tmp tmpfs nodev,nosuid,noexec 0 0
====
Save the file and reboot the VPS; /tmp is now mounted with “nosuid” and “noexec”.

3.) Installing Rkhunter (RootKit Hunter)
Rkhunter is a very useful security scanning tool that scans for trojans, rootkits, backdoors, local exploits and other security problems. It can be useful for detecting failures in your layers of defense. It runs as a cron job that scans your server for security problems.
You can install Rkhunter using the following steps.
====
1. Log in to your server via SSH as root.
Then type: cd /usr/local/src/

6. Now set up Rkhunter to e-mail you daily scan reports.
Type: pico /etc/cron.daily/rkhunter.sh
Add the following:
#!/bin/bash
(/usr/local/bin/rkhunter --update && /usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" supp0rt@trulymanage.com)
Replace the e-mail address above with your own. It is best to send the e-mail to an off-site address, so that if the server is compromised the attacker can’t erase the scan reports.
Type: chmod 700 /etc/cron.daily/rkhunter.sh
====
Please refer to the following URL for more details on Rkhunter:

http://www.rootkit.nl/projects/rootkit_hunter.html

4.) Securing MySQL Database
MySQL is one of the most popular databases on the Internet, and it is often used in conjunction with PHP. Besides its undoubted advantages such as ease of use and relatively high performance, MySQL offers simple but very effective security mechanisms. Unfortunately, the default installation of MySQL, and in particular the empty root password and the potential vulnerability to buffer overflow attacks, makes the database an easy target. You can secure MySQL using the tutorial.

5.) Upgrade Apache/PHP, MySQL to latest version
Make sure you are running the latest secure versions of common software components. This is an important step in preventing your server from being cracked by common exploits. Upgrading is normally unproblematic, but if you have specific version requirements for particular applications, some upgrades should be made with caution.

6.) Installing Mod_Security
ModSecurity is an open source intrusion detection and prevention engine for web applications; it helps prevent attacks on programs that would otherwise be vulnerable, and acts as a powerful shield against attacks. ModSecurity supports both branches of the Apache web server.
It can be fine-tuned, but you may limit some “power” user customers (easily rectified).

http://www.modsecurity.org/

7.) Disable non-root access to unsafe binaries.
Many exploits use well-known executables already on your system as part of their bag of tools. By restricting these files so that only root can use them, you can stop many attacks from functioning.
You may find some binaries like “wget, lynx, scp etc.” too useful to limit to root only, despite their being useful to crackers too.

8.) Enabling PHP suEXEC
When PHP runs as an Apache module it executes as the user/group of the web server, which is usually “nobody” or “apache”. suEXEC is a mechanism supplied with Apache that allows CGI scripts to be executed as the user they belong to, rather than as Apache’s user. This improves security in situations where multiple mutually distrusting users are able to put CGI content on the server.

This means the scripts are executed as the user that created them. If user “supp0rt” uploaded a PHP script, you would see it was “supp0rt” running the script when looking at the running processes on your server. It also provides an additional layer of security where script permissions can’t be set to 777 (read/write/execute at user/group/world level).

Switching to PHP suEXEC on the servers affects users who depended on the configuration in their .htaccess file; they panic because their site no longer works. This is not really a reason to panic; what you can do in this situation is simple. Move as much configuration as possible from your .htaccess file to a php.ini file. The php.ini is a simple text file that can be placed in any directory on your server. It affects only that directory and not the entire site. In addition, there could be some performance loss (seen as a higher server load) as a result of all PHP scripts being run as separate CGI processes instead of as part of the Apache module.

9.) Disable SSH root access
Allowing the root user to log in directly is a major security issue, because a brute-force attack can use the known username ‘root’ and concentrate on password variations. By using a unique username (not something like admin) you reduce the chance of a successful brute-force attack. This forces an attacker to guess two separate passwords to gain root access (you do have two separate passwords for the unique user and root, right?)

10.) Changing SSH Port
One common security precaution that system admins use is to set ssh to listen on a non-standard port (e.g. port 9989, 9898, etc.). It is common for hackers to attempt ssh daemon exploits that tend to be very specific to the version of OpenSSH that is running. By having sshd listen on a different port, you reduce the risk from a general port 22 scan and hack. Changing the port is an additional layer of security. Although this is akin to security by obscurity, it can let you completely avoid many scripted attacks.
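An added Python example, not from the original post, that checks the configuration points of steps 2, 9 and 10 the way a small hardening audit script would: it parses /etc/fstab text and reports which of nodev, nosuid and noexec are missing on /tmp, and it parses sshd_config text (the first value of a keyword wins, as in sshd itself, and Match blocks are skipped) and flags a PermitRootLogin that still allows direct root login and a listener left on port 22. The sample file contents are constructed; on a real VPS you would read the two files and pass their text to audit().

```python
import re

TMP_OPTIONS = ("nodev", "nosuid", "noexec")


def parse_fstab(text):
    """Return one dict per fstab entry; comments and short lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:
            continue
        entries.append({"device": fields[0], "mountpoint": fields[1],
                        "fstype": fields[2], "options": set(fields[3].split(","))})
    return entries


def check_tmp_mount(fstab_text, required=TMP_OPTIONS):
    """List the hardening options missing on /tmp; [] means the entry matches step 2."""
    for entry in parse_fstab(fstab_text):
        if entry["mountpoint"] == "/tmp":
            return [opt for opt in required if opt not in entry["options"]]
    return list(required)            # no dedicated /tmp mount at all


def parse_sshd_config(text):
    """Keyword -> value; the first occurrence wins, as in sshd, and Match blocks are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break                    # everything after the first Match is conditional
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_sshd(config_text):
    """Findings for steps 9 and 10; absent keywords are treated as the permissive
    defaults of 2008-era OpenSSH (PermitRootLogin yes, Port 22)."""
    s = parse_sshd_config(config_text)
    findings = []
    if s.get("permitrootlogin", "yes").lower() not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin allows direct root login")
    if s.get("port", "22") == "22":
        findings.append("sshd listens on the default port 22")
    return findings


def audit(fstab_text, sshd_text):
    findings = ["/tmp is missing mount option " + opt for opt in check_tmp_mount(fstab_text)]
    return findings + check_sshd(sshd_text)


# Constructed sample files: a default-ish VPS and one hardened as the steps describe
WEAK_FSTAB = "/dev/vda1  /     ext3   defaults  1 1\nnone  /tmp  tmpfs  defaults  0 0\n"
HARD_FSTAB = "/dev/vda1  /     ext3   defaults  1 1\nnone  /tmp  tmpfs  nodev,nosuid,noexec  0 0\n"
WEAK_SSHD = "# default-ish sshd_config\nPort 22\nPermitRootLogin yes\n"
HARD_SSHD = "Port 9989\nPermitRootLogin no\nPermitRootLogin yes   # ignored: first value wins\n"

if __name__ == "__main__":
    print("weak:", audit(WEAK_FSTAB, WEAK_SSHD))
    print("hard:", audit(HARD_FSTAB, HARD_SSHD))
```

A check like this reads the files as written, not the live state: after editing sshd_config you still need to restart sshd, and after editing fstab the /tmp options only take effect on remount or reboot, as step 2 says.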